Find Out Why Continuous Endpoint Monitoring Is So Efficient In The Second Part Of The Carbanak Case Study – Charles Leaver

March 12, 2015

Presented By Charles Leaver And Written By Dr Al Hartmann

Part 2 in a 3 part series


Continuous Endpoint Monitoring Is Very Efficient


Convicting and blocking malicious software before it can compromise an endpoint is fine. However, this technique is largely inadequate against cyber attacks that have been pre-tested to evade this type of security approach. The real issue is that these stealthy attacks are conducted by knowledgeable human hackers, while traditional endpoint defense is an automated process carried out by endpoint security systems that rely largely on standard antivirus technology. Human intelligence is more creative and flexible than machine intelligence and will always be superior to automated defenses. This underlines the lesson of the Turing test, in which automated defenses are attempting to rise to the intellectual level of a knowledgeable human hacker. At present, artificial intelligence and machine learning are not advanced enough to fully automate cyber defense, so the human hacker is going to win while those attacked are left counting their losses. We do not live in a sci-fi world where machines can out-think people, so do not assume that a security software suite will automatically take care of all your problems and prevent all attacks and data loss.

The only real way to stop a determined human hacker is with an undaunted human cyber defender. For your IT Security Operations Center (SOC) staff to do this, they must have complete visibility into network and endpoint operations. Standard endpoint antivirus suites will not provide this kind of visibility; they are designed to stay silent unless they are catching and quarantining malware. This conventional approach renders the endpoints opaque to security personnel, and hackers use this endpoint opacity to conceal their attacks. The opacity extends backwards and forwards in time: your security personnel do not know what was running across your endpoint population in the past, what is running at this moment, or what can be expected in the future. If diligent security personnel find clues that call for a forensic look-back to uncover attacker characteristics, your antivirus suite will be unable to help. It would not have acted at the time, so no events will have been recorded.

In contrast, continuous endpoint monitoring is always working. It supplies real-time visibility into endpoint operations, provides forensic look-back so that newly emerging evidence of an attack can be acted on and earlier indications discovered, and establishes a baseline of normal patterns of operation so that it knows what to expect and can alert on anomalies in the future. Beyond plain visibility, continuous endpoint monitoring supplies informed visibility, applying behavioral analytics to identify operations that appear abnormal. Anomalies are continuously evaluated and aggregated by the analytics and reported to SOC staff through the organization's security information and event management (SIEM) system, which flags the most concerning suspicious items for security staff attention and action. Continuous endpoint monitoring amplifies and scales human intelligence; it does not replace it. It is a bit like the old Sesame Street game "One of these things is not like the other."

A child can play this game. It is simple because the majority of items (called high prevalence) resemble each other, while one or a small number (referred to as low prevalence) are different and stand out. These distinguishing actions taken by cyber criminals have been quite consistent in hacking for decades. The Carbanak technical reports that listed the indicators of compromise are good examples of this and will be discussed below. When continuous endpoint monitoring security analytics are in place and reveal these patterns, it is easy to recognize something suspicious or unusual. Cyber security personnel can carry out quick triage on these unusual patterns and quickly reach a yes/no/maybe answer that distinguishes unusual but known-good activity from malicious activity, or from activity that needs additional monitoring and deeper forensic investigation to confirm.
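The prevalence comparison and forensic look-back described above, as an added example (not code from the original article or from any product). The telemetry records, host names, hash placeholders, file paths and the 25% threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry: (timestamp, host, image path, hash placeholder).
EVENTS = [
    ("2015-02-01T09:00:00", "ws-01", r"C:\Windows\System32\svchost.exe", "hash-aaa"),
    ("2015-02-01T09:01:00", "ws-02", r"C:\Windows\System32\svchost.exe", "hash-aaa"),
    ("2015-02-01T09:02:00", "ws-03", r"C:\Windows\System32\svchost.exe", "hash-aaa"),
    ("2015-02-01T09:03:00", "ws-04", r"C:\Windows\System32\svchost.exe", "hash-aaa"),
    ("2015-02-02T10:00:00", "ws-01", r"C:\Program Files\Browser\browser.exe", "hash-bbb"),
    ("2015-02-02T10:05:00", "ws-02", r"C:\Program Files\Browser\browser.exe", "hash-bbb"),
    ("2015-02-02T10:09:00", "ws-03", r"C:\Program Files\Browser\browser.exe", "hash-bbb"),
    ("2015-02-05T03:40:00", "ws-03", r"C:\Users\Public\updater.exe", "hash-zzz"),
    ("2015-02-03T22:15:00", "ws-03", r"C:\Users\Public\updater.exe", "hash-zzz"),
]

def prevalence(events):
    """Map each file hash to the set of hosts on which it was seen running."""
    hosts_by_hash = defaultdict(set)
    for _, host, _, file_hash in events:
        hosts_by_hash[file_hash].add(host)
    return hosts_by_hash

def low_prevalence(events, max_fraction=0.25):
    """Return (fraction, hash, hosts) for hashes on few hosts, rarest first."""
    total_hosts = len({host for _, host, _, _ in events})
    rare = []
    for file_hash, hosts in prevalence(events).items():
        fraction = len(hosts) / total_hosts
        if fraction <= max_fraction:
            rare.append((fraction, file_hash, sorted(hosts)))
    return sorted(rare)

def look_back(events, file_hash):
    """Forensic look-back: earliest recorded execution of a hash on each host."""
    first_seen = {}
    for ts, host, path, seen_hash in events:
        if seen_hash != file_hash:
            continue
        when = datetime.fromisoformat(ts)
        if host not in first_seen or when < first_seen[host][0]:
            first_seen[host] = (when, path)
    return first_seen

if __name__ == "__main__":
    for fraction, file_hash, hosts in low_prevalence(EVENTS):
        print(f"{file_hash}: {fraction:.0%} of hosts {hosts}")
        print("  first seen:", look_back(EVENTS, file_hash))
```

The look-back only works because every execution was recorded at the time, whether or not anything was flagged; an analyst would still triage each low-prevalence item, since rare software is not necessarily malicious.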

There is no chance that a hacker can pre-test their attacks when this defense is in place. Continuous endpoint monitoring security has a non-deterministic risk analytics component (which flags suspect activity) along with a non-deterministic human element (which carries out alert triage). Depending on the current activity, the endpoint population mix and the experience of the cyber security staff, developing attack activity may or may not be uncovered. This is the nature of cyber warfare, and there are no guarantees. But if your cyber security fighters are equipped with continuous endpoint monitoring analytics and visibility, they will have an unfair advantage.

